Tweeps and Facebook Friends, Let's Smarten Up

As threats proliferate on our favorite social networking sites, Senior Editor Bill Brenner says it's time to reassess what we're doing before it's too late.

Anyone who knows me understands that social networking is a critical piece of what I do. Every story, podcast, column and slideshow we publish on CSOonline is quickly proliferated via Facebook, LinkedIn, Twitter and elsewhere online. So it might be easy to look at the headline of this column and suggest I'm being a hypocrite.

But this isn't a column against social networking. It's about using the medium more securely.

We've written a lot about social networking security. There was an article about the danger behind applications like Farmville and Mafia Wars. There was the Seven Deadly Sins of Social Networking piece that included such things as oversharing, mixing the personal with the professional and spewing rage in one's posts.

Now there's a report from our friends at Threatpost about a new profile-stalking scam. The post reads: "A bogus application that lures Facebook users by falsely offering to show who has been viewing their profile has been exposed as a scam. A researcher warns he has already identified 25 different copies of the same rogue app but using different monikers such as peeppeep-pro, profile-check-online and stalk-my-profile."


Heck, I admit guilt in mixing personal with professional, especially on Facebook. I'd estimate my friends list is about half business associates, a quarter friends and a quarter family. Some might also say I'm guilty of oversharing because of the sheer volume of posts I make on these platforms. I've tried to improve on that score. I used to have the year I was born in my profile, but removed it when someone suggested it could be used by bad guys to crack into more sensitive personal information.

Here's what I try to do:

  • Limit my status updates to sharing content I've written, music I'm listening to or amusing things my kids say. Once in a while, I'll take the bait and dive into a political argument, so long as it's respectful.
  • Avoid, at all costs, complaining or trash talking against others.
  • Avoid giving away details that would put my family at risk. A prime example is the new Twitter tool that lets followers see exactly where you are tweeting from. That is absolutely stupid, in my opinion. If my sons are bowling on such and such a street at a particular bowling alley, I'm not going to give away the coordinates in a tweet.
  • Avoid sharing banking information. (This seems obvious—but have you ever complained online about your bank's service or fees, thus giving away which bank you use?)
  • Avoid games like Farmville and Mafia Wars. That I find these games silly and boring is beside the point. One person's boredom is another person's fun. My bigger problem with these games is that they can put the user at risk.

That last point was made plain during a talk about social networking dangers presented at the ShmooCon conference in February.

In their talk, "Social Zombies II: Your Friends Need More Brains," security practitioners Tom Eston, Kevin Johnson and Robin Wood continued what they started in their "Social Zombies: Your Friends want to eat Your Brains" presentation at DEFCON 17.

The sad fact about games like Farmville, the presenters said, is that these applications are susceptible to malware pushers and those looking to steal your personal information. It's not much of a stretch for hackers to impersonate people you think are trusted fellow players, as is the case with a lot of online gaming. And the more you expose about yourself, the bigger the target you become.

The presenters offered new techniques and tools used to exploit people on these social networks. They also examined how all your profile information is being used against you and eroding your privacy. "Facebook has 350 million users with 12 million logging in daily. Twitter is getting 6.2 million new users a month. The target base keeps growing," said Eston, a penetration tester for a Fortune 500 financial services organization.

In one of their more colorful examples, the trio explained how actress Jessica Biel is the most dangerous woman on the Internet because of all the fake profiles of her scattered throughout the social networking landscape. People on Twitter are easily duped into thinking Biel is following them on Twitter. The Facebook folks proudly count her among their friends, not realizing the page is really under the control of a malicious operator who wants you to click on malicious links on the page.

A year before, at the 2009 ShmooCon event, security researchers Nathan Hamiel and Shawn Moyer gave a similar talk, which is covered in the article Slapped in the Facebook: Social Networking Dangers Exposed.

"Any application can be used to attack other applications and an application can be used to view your entire file if the privacy settings are off," Hamiel said at the time. "Even if you put the privacy settings in place, you should assume you are screwed."

So what's the advice in all of this? Like I said, my social networking habits are far from perfect. But here's some advice I've heard from some smart people that you would be wise to heed:

Don't help the burglars: If you tell the world you and the entire family are going to Rome for a week, don't be shocked if you come home to find the place burglarized.

Don't let Twitter give away your whereabouts: Call it an overreaction, but letting Twitter show off the exact location you're tweeting from is insane. Absolutely nothing good can come of it unless you are looking to kidnap someone (or be kidnapped).

If you must play Farmville, know the risks: Some of my closest friends and family members play these Facebook games, including a couple of folks who are very savvy security professionals. My suggestion isn't that these games are only for the stupid among us. The suggestion, rather, is that when playing these games, you have to be very careful about the data you're allowing the application to access.


Look over the privacy settings and lock 'em down as tightly as possible.

Oh, and if you have to look at models in skimpy clothing, you're better off buying a magazine at the corner smoke shop. If a drop-dead gorgeous bikini model is asking you to friend them on Facebook, chances are better than average that the real person behind the profile wants to scam you.

We have no choice but to think of cyberspace as the real world now. It's all become too intertwined to think of it as anything else. If you avoid dark alleys at night in the real world, you should avoid dark alleys online.

Copyright © 2010 IDG Communications, Inc.